On 5/9/2018 8:11 PM, Jean-Philippe Méthot wrote:
I currently operate a multi-region cloud split between 2 geographic
locations. I have updated it to Pike not too long ago, but I've been
running into a peculiar issue. Ever since the Pike release, Nova now
asks Keystone if a new project exists in Keystone before configuring the
project’s quotas. However, there doesn’t seem to be any region
restriction regarding which endpoint Nova will query Keystone on. So,
right now, if I create a new project in region one, Nova will query
Keystone in region two. Because my keystone databases are not synched in
real time between each region, the region two Keystone will tell it that
the new project doesn't exist, while it exists in region one Keystone.
Thinking that this could be a configuration error, I tried setting the
region_name in keystone_authtoken, but that didn’t change much of
anything. Right now I am thinking this may be a bug. Could someone
confirm that this is indeed a bug and not a configuration error?

To circumvent this issue, I am considering either modifying the database
by hand or trying to implement realtime replication between both
Keystone databases. Would there be another solution? (besides modifying
the code for the Nova check)

This is the specific code you're talking about:
https://github.com/openstack/nova/blob/stable/pike/nova/api/openstack/identity.py#L35

I don't see region_name as a config option for talking to keystone in Pike:
https://docs.openstack.org/nova/pike/configuration/config.html#keystone

But it is in Queens:
https://docs.openstack.org/nova/queens/configuration/config.html#keystone

That was added in this change:
https://review.openstack.org/#/c/507693/

But I think what you're saying is, since you have multiple regions, the
project could be in any of them at any given time until they synchronize
so configuring nova for a specific region isn't probably going to help
in this case, right?

Isn't this somehow resolved with keystone federation? Granted, I'm not
at all a keystone person, but I'd think this isn't a unique problem.
--
Thanks,
Matt
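
The region question discussed in this thread, as an added illustration (not code from Nova, keystoneauth or either poster): a simplified model of choosing the identity endpoint from a service catalog with and without a region filter, plus a check for catalogs where the unfiltered choice is ambiguous. The catalog, region names and URLs are constructed, and "first match wins" is an assumption of this model.

```python
# Constructed sample: identity entries from a service catalog for a
# two-region cloud. Region names and URLs are made up for illustration.
CATALOG = [
    {"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "internal", "region_id": "RegionTwo",
         "url": "https://keystone.r2.example.test:5000/v3"},
        {"interface": "internal", "region_id": "RegionOne",
         "url": "https://keystone.r1.example.test:5000/v3"},
        {"interface": "public", "region_id": "RegionOne",
         "url": "https://keystone.r1.example.test/v3"},
    ]},
]


def candidates(catalog, service_type, interfaces, region_name=None):
    """Matching endpoints, ordered by interface preference, then catalog order."""
    found = []
    for interface in interfaces:
        for service in catalog:
            if service["type"] != service_type:
                continue
            found += [ep for ep in service["endpoints"]
                      if ep["interface"] == interface
                      and region_name in (None, ep["region_id"])]
    return found


def pick_endpoint(catalog, service_type, interfaces, region_name=None):
    """Model assumption: the first candidate wins; None if nothing matches."""
    matches = candidates(catalog, service_type, interfaces, region_name)
    return matches[0]["url"] if matches else None


def ambiguous_regions(catalog, service_type, interfaces):
    """Regions competing on the first interface that has any endpoint."""
    for interface in interfaces:
        regions = sorted({ep["region_id"] for ep in
                          candidates(catalog, service_type, [interface])})
        if regions:
            return regions if len(regions) > 1 else []
    return []


if __name__ == "__main__":
    ifaces = ["internal", "public"]
    print("no region :", pick_endpoint(CATALOG, "identity", ifaces))
    print("RegionOne :", pick_endpoint(CATALOG, "identity", ifaces, "RegionOne"))
    print("ambiguous :", ambiguous_regions(CATALOG, "identity", ifaces))
```

A non-empty result from `ambiguous_regions` means a caller that sets no region can be sent to a Keystone in another region, which is the situation described in the original question.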